"Passwords, passphrases and/or security codes are used in
virtually every interaction between users and information
systems. Most forms of user authentication, as well as
file and data protection, rely heavily on user or vendor
supplied passwords. In addition, since properly
authenticated access is often not logged, or if logged not
likely to arouse suspicion, a compromised password is an
opportunity to explore a system virtually undetected. An
attacker in possession of a valid user password would
have complete access to any resources available to that
user, and would be significantly closer to being able to
access other accounts, nearby machines, and perhaps even
obtain root level access on this system. Despite this
threat, user and administrator level accounts with poor or
non-existent passwords are still very common. As well,
organizations with a well-developed and enforced password
policy are still uncommon.
The most common password vulnerabilities are: (a) user
accounts that have weak or nonexistent passwords; (b) user
accounts with widely known or openly displayed passwords;
(c) system or software created administrative level
accounts with widely known, weak, or nonexistent passwords;
and (d) weak or well known password hashing algorithms
and/or user password hashes that are stored with weak
security and are visible to anyone.
The best defense against all of these vulnerabilities is a
well developed password policy that includes: detailed
instructions for users to create strong passwords;
explicit rules for users to ensure their passwords remain
secure; a process in place for IT staff to promptly replace
weak/insecure/default or widely known passwords and
to promptly lock down inactive or close down unused
accounts; and a proactive and regular process of checking
all passwords for strength and complexity."
In today's ISC Webcast, we talked about an example of a password
list that was used by malware known as "IRCBot" to guess or brute-force
passwords and gain access to systems.
This list is available at:

Check out the Webcast archives: http://www.sans.org/webcasts/archive.php

Mailbag - Netsky
We received a report from a user who had been seeing a
large number of DNS queries from a small set of his high
speed customers. The answer, as pointed out by Rick Wanner, was
that it was caused by NetSky. In his words: "...I didn't
realize that the deciding factor for what is an email
address is anything with an "@" sign in the name, or
contents would be tried as an email address. So people
with big Internet caches, and who don't clean up their
cookies were generating thousands of MX requests per minute
to their default DNS server."
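The symptom described above (a few hosts generating thousands of MX lookups per minute) is easy to spot in resolver query logs. The following is an added example, not code from the diary or from the reporting user: it parses constructed BIND-style query log lines, counts MX queries per client per minute, and flags clients that reach a threshold (the log format, IPs and the low demo threshold are assumptions).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of BIND-style query log lines (not real customer data).
SAMPLE_LOG = """\
12-Mar-2004 10:15:01.123 client 10.0.0.5#1024: query: example.com IN MX
12-Mar-2004 10:15:01.200 client 10.0.0.5#1024: query: example.org IN MX
12-Mar-2004 10:15:02.050 client 10.0.0.9#2048: query: www.example.net IN A
12-Mar-2004 10:15:02.300 client 10.0.0.5#1024: query: mail-host.test IN MX
12-Mar-2004 10:15:03.000 client 10.0.0.9#2048: query: example.com IN MX
12-Mar-2004 10:16:00.500 client 10.0.0.5#1024: query: other.example IN MX
"""

# Assumed log layout: "<dd-Mon-yyyy HH:MM:SS>.<ms> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def mx_queries_per_minute(log_text):
    """Return {(client_ip, 'YYYY-MM-DD HH:MM'): number of MX queries}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("qtype") != "MX":
            continue  # unparseable line or not an MX lookup
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        counts[(m.group("ip"), ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def flag_mx_flooders(log_text, threshold):
    """Clients whose MX query count in any single minute reaches threshold.

    Returns {client_ip: peak MX queries per minute}. A production threshold
    would be in the thousands, as in the report; the demo uses a small value.
    """
    flagged = {}
    for (ip, _minute), n in mx_queries_per_minute(log_text).items():
        if n >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


if __name__ == "__main__":
    print(flag_mx_flooders(SAMPLE_LOG, threshold=3))
```

Infected clients also tend to query MX records for many distinct, often nonsensical names (anything cached with an "@" in it), so counting distinct names per client per minute is a useful second signal.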
-----------------------------------------------------------------